Re: [Dime] Question on realm validity in answer messages
Jouni Korhonen <jouni.nospam@gmail.com> Thu, 08 May 2014 19:08 UTC
Return-Path: <jouni.nospam@gmail.com>
X-Original-To: dime@ietfa.amsl.com
Delivered-To: dime@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 769231A0119 for <dime@ietfa.amsl.com>; Thu, 8 May 2014 12:08:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TbS3VVJYeccA for <dime@ietfa.amsl.com>; Thu, 8 May 2014 12:08:02 -0700 (PDT)
Received: from mail-lb0-x22c.google.com (mail-lb0-x22c.google.com [IPv6:2a00:1450:4010:c04::22c]) by ietfa.amsl.com (Postfix) with ESMTP id BAB521A0118 for <dime@ietf.org>; Thu, 8 May 2014 12:08:01 -0700 (PDT)
Received: by mail-lb0-f172.google.com with SMTP id l4so4251574lbv.17 for <dime@ietf.org>; Thu, 08 May 2014 12:07:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=XXg/nLnXb6AAg0P5mdUPGoUOLOaS4fSvYpHFSgbwTRk=; b=NXJ5T21V1wnaOB9La8Mo7IoiUAFh97AZmoT9C7n/85aGDb9cq0/37+qWeN/fwWRxQe Q5wJQH7avwypRDDTxYTJf4XGqrjZ1k3OuScEtY1Q01armpnKUutTGYr+vm64fwHqbYVu pgP6FXF3hNRKv8u6FjMkieiTXBi1lqlZ99hX9MWuGOOGVddPuAFzRM+Cy8DTLogOPn31 /kmUsIB/kde24FXqveQc289lWI1mBon2Zqe/TxPCg+HRuLouDwx/5xXp1z6/P4b7XrmG ApFQAsgZa9LYCdeGv7bTTIC5zZ629WXe7PUCRQpAs3WC878e4SGTHLDa+a3LD9b7lcFg i44A==
X-Received: by 10.112.24.9 with SMTP id q9mr6219651lbf.23.1399576076371; Thu, 08 May 2014 12:07:56 -0700 (PDT)
Received: from [188.117.15.101] ([188.117.15.101]) by mx.google.com with ESMTPSA id q8sm1856786lbr.28.2014.05.08.12.07.55 for <dime@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 08 May 2014 12:07:55 -0700 (PDT)
Message-ID: <536BD60A.6070202@gmail.com>
Date: Thu, 08 May 2014 22:07:54 +0300
From: Jouni Korhonen <jouni.nospam@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: dime@ietf.org
References: <0EFE155B2AF9B44A9537DA67801704F96B3341E2@ROCK5.qtel.ad.pri>
In-Reply-To: <0EFE155B2AF9B44A9537DA67801704F96B3341E2@ROCK5.qtel.ad.pri>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/dime/0g4i5TPrkN3DlpQns786TX3riLU
Subject: Re: [Dime] Question on realm validity in answer messages
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dime/>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 May 2014 19:08:04 -0000
Your load balancer is misbehaving. Unfortunately you don't find any exact specification language to prohibit the proxy vendor doing this. - Jouni 5/8/2014 8:44 AM, Marco Stura kirjoitti: > Dear all, > > I’m facing the following situation. > > |---------------------------- > SPrealm--------------------------------------------------| > > _----------- Server 1(realm a) > > > _ > > _ > > Client ------------------ Proxy(SPrealm) ---------------- Server 2(realm b) > > _ > > > _ > > _ > > ---------- Sever 3 (realm c) > > The implementation is such that the Proxy is load balancing by selecting > the internal Server where the subscriber data are provisioned, based on > user identity. > > The Client is sending an application specific authorization request to > the Proxy for NAI user@SPrealm, Destination-Realm == SPrealm. > > The Proxy selects e.g. Server 2 based on user@SPrealm and send the > request there changing the Destination-Realm to realm b. > > Server 2 processes the request generates an answer and send it to the > Proxy with Origin-Host == server2@realm b, Origin-Realm == realm b. > > The Proxy forward the answer to the Client, that receives a successful > authorization answer from a realm that is different from the one > supposed to serve the user (as in the NAI). > > The client terminates the session with STR to Destination-Host == > server2@realm b, Destination-Realm == realm b, Termination-Cause == > Diameter_bad_answer > > The Proxy and the Servers are part of the same implementation, which > apparently requires this kind of configuration to work. > > In RFC 6733 (or RFC 3388) it is not explicitly stated how to deal with > cases where a successful authorization answer is coming from a server > located in a different realm than the home realm of the user (as per NAI). > > However, to say the least, this configuration is quite bizarre and the > client IMHO is right to terminate the session as this behavior may looks > to the client like an answer from a malicious node. But I don’t remember > any discussion on this aspects back at the Diameter protocol development > time….. > > Any opinion on this scenario? > > BR, > > Marco > > > ------------------------------------------------------------------------ > > The information in this email and any attachments thereto may contain > information that is confidential, protected by intellectual property > rights, and may be legally privileged. It is intended solely for the > addressee(s). Access to this email by anyone else is unauthorized. Any > use, disclosure, copying, or distribution of the information contained > herein by persons other than the designated addressee is unauthorized > and may be unlawful. If you are not the intended recipient, you should > delete the message immediately from your system. If you believe that you > have received this email in error, please contact the sender. Any views > expressed in this email and its attachments are those of the individual > sender except where the sender expressly states them to be the views of > Ooredoo. > > > _______________________________________________ > DiME mailing list > DiME@ietf.org > https://www.ietf.org/mailman/listinfo/dime >
- [Dime] Question on realm validity in answer messa… Marco Stura
- Re: [Dime] Question on realm validity in answer m… Ivan Skytte Jørgensen
- Re: [Dime] Question on realm validity in answer m… Dave Dolson
- Re: [Dime] Question on realm validity in answer m… Jouni Korhonen
- Re: [Dime] Question on realm validity in answer m… Marco Stura
- Re: [Dime] Question on realm validity in answer m… Jouni Korhonen